[SOLVED] Issues with proxy clamav

I’m having an issue getting proxy/webfilter working with AV. Basically it is the issue listed here: C-icap Service configuration, and here: Squidclamav doesn’t start - hangs during activating and takes 100% CPU (1 core). Not sure if it’s an ARM issue or if I’ve misconfigured something.

Did you try the things @mrmarkuz mentioned?
Please give us some more information about your configuration and error logs.

Sorry for that, I was using my phone; I should have waited until I got home. But I have tried the steps advised by @mrmarkuz and I did find the template was missing the reference. Following the steps to correct that, I added the reference:

expand-template /etc/c-icap/c-icap.conf

/etc/c-icap/c-icap.conf:

Service squidclamav squidclamav.so

but the result was still the same

clamd@squidclamav : The service is either not running or not enabled
c-icap : The service is either not running or not enabled

running
systemctl status c-icap

Results in

● c-icap.service - C-ICAP Server
Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/c-icap.service.d
└─squidclamav.conf
Active: inactive (dead) since Thu 2021-09-23 12:22:37 AEST; 1 day 6h ago

Sep 23 12:22:36 orion.ksatdesign.com.au systemd[1]: Starting C-ICAP Server…
Sep 23 12:22:37 orion.ksatdesign.com.au systemd[1]: Started C-ICAP Server.

and
systemctl status squidclamav
returns

Unit squidclamav.service could not be found.
but
yum install squidclamav
returns
Package squidclamav-6.16-1.ns7.armv7hl already installed and latest version

and
systemctl status clamd@squidclamav

Returns

● clamd@squidclamav.service - clamd scanner (squidclamav) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/clamd@squidclamav.service.d
└─c-icap.conf
/etc/systemd/system/clamd@.service.d
└─reload.conf, timeout.conf
Active: inactive (dead) since Thu 2021-09-23 12:22:37 AEST; 1 day 7h ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Main PID: 10126 (code=exited, status=0/SUCCESS)

Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: OLE2 support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: PDF support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: SWF support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: HTML support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: XMLDOCS support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: HWP3 support enabled.
Sep 23 12:22:36 orion.ksatdesign.com.au clamd[10126]: Self checking every 600 seconds.
Sep 23 12:22:37 orion.ksatdesign.com.au systemd[1]: Stopping clamd scanner (squidclamav) daemon…
Sep 23 12:22:37 orion.ksatdesign.com.au clamd[10126]: Pid file removed.
Sep 23 12:22:37 orion.ksatdesign.com.au systemd[1]: Stopped clamd scanner (squidclamav) daemon.

and
cat /var/log/clamav/clamscan.log

returns
Sat Sep 11 00:25:01 2021

Scanned Folder: //etc/suricata/rules/ET-emerging-web_specific_apps.rules: {HEX}php.include.remote.483.UNOFFICIAL FOUND
/etc/suricata/rules/ET-emerging-web_server.rules: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/etc/suricata/rules/ET-emerging-current_events.rules: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/etc/suricata/rules/ET-emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/squidGuard/blacklists.old/malware/domains: PhishTank.Phishing.7266216.UNOFFICIAL FOUND
/var/squidGuard/blacklists.old/malware/urls: PhishTank.Phishing.7198895.UNOFFICIAL FOUND
/var/squidGuard/blacklists.old/dating/domains: Porcupine.Phishing.52549.UNOFFICIAL FOUND
/var/squidGuard/blacklists/malware/domains: PhishTank.Phishing.7266216.UNOFFICIAL FOUND
/var/squidGuard/blacklists/malware/urls: PhishTank.Phishing.7198895.UNOFFICIAL FOUND
/var/squidGuard/blacklists/dating/domains: Porcupine.Phishing.52549.UNOFFICIAL FOUND
/var/lib/clamav-unofficial-sigs/dbs-is/interserver256.hdb: {HEX}php.malware.magento.585.UNOFFICIAL FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/sigpack.tgz: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/var/lib/clamav/interserver256.hdb: {HEX}php.malware.magento.585.UNOFFICIAL FOUND
/tmp/emerging.rules.tar.gz: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8741189
Engine version: 0.103.3
Scanned directories: 21519
Scanned files: 120779
Infected files: 14
Data scanned: 6383.01 MB
Data read: 5563.83 MB (ratio 1.15:1)
Time: 5739.622 sec (95 m 39 s)
Start Date: 2021:09:11 00:25:01
End Date: 2021:09:11 02:00:40


Also I ran c-icap-client -s squidclamav -f eicar.com
on the off chance it was working but I was getting false warnings,
but the result was
Connection to 'localhost:1344' failed/timedout Failed to connect to icap server.....

I checked it at my installation and I have similar results. The difference is, I don’t have a clamav log file and the last command

c-icap-client -s squidclamav -f eicar.com

doesn’t work, because it looks like I don’t have c-icap:

c-icap-client: command not found

@support_team
Can you help @Shane_Treweek and perhaps me too?


Just tried seeing if the firewall was blocking the connection:
config set c-icap service status enabled TCPPorts 1334 UDPPorts 1334 access green signal-event firewall-adjust
but still the same result.

Did you try signal-event nethserver-squidclamav-update ?

Yes, unfortunately it didn’t change anything. I did notice the c-icap.conf listed the modules and service directory with lib64. I’m running 32-bit ARM, and changing from lib64 to lib still didn’t work, although the directory is available in lib. I’m just not really sure what else to check.

I could reproduce on arm32. You were on the right track and found a bug.

The /usr/lib64 dir does not exist on arm32, it’s just /usr/lib. See Neth arm-dev at Github for similar issues in other packages.

A dirty hack is to symlink /usr/lib to /usr/lib64 and restart c-icap service.
The better method is to open a PR and change it in the template /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base line 193:

# TAG: ModulesDir
# Format: ModulesDir dir
# Description:
#       The location of modules
# Default:
#       ModulesDir /usr/lib64/c_icap
ModulesDir {( -e '/usr/lib64/' ) ? "/usr/lib64" : "/usr/lib";}/c_icap

# TAG: ServicesDir
# Format: ServicesDir dir
# Description:
#       The location of services
# Default:
#       ServicesDir /usr/lib64/c_icap
ServicesDir {( -e '/usr/lib64/' ) ? "/usr/lib64" : "/usr/lib";}/c_icap

After applying the config with signal-event nethserver-squidclamav c-icap should start and work.

[root@netharmtest ~]# netstat -tlpn | grep c-icap
tcp        0      0 0.0.0.0:1344            0.0.0.0:*               LISTEN      9276/c-icap

If you can confirm this is working we should open a PR…


I’ve tried that. I think it’s working, although there is no response from grep, but the antivirus toggle is now showing on the web filter settings.

Edit: I changed the folder to be lib instead of lib64. After reading your post properly I’ve updated the template to ServicesDir {( -e '/usr/lib64/' ) ? "/usr/lib64" : "/usr/lib";}/c_icap. I’ll see if it fixed it once squidguard finishes saving on the web console.

Update: unfortunately I still can’t get the services enabled.
systemctl status c-icap
reports

#truncated
 Drop-In: /etc/systemd/system/c-icap.service.d
           └─squidclamav.conf
   Active: inactive (dead) since Sat 2021-09-25 11:21:15 AEST; 26s ago

Could that maybe be part of the issue?

I’ve also tried setting Port 1344 to both localhost:1344 and 127.0.0.1:1344 in the template, as suggested in this link in regards to a similar problem with c-icap in pfSense, but no change.

Just had a thought: my proxy is set to authentication. Could that be the issue? Does it need to be set to transparent?

Final update:

I ran the following:

yum remove squid clamav c-icap

then removed all references to the services in the firewall

then ran systemctl enable machines.target && systemctl start machines.target

then reinstalled squid, smtp proxy etc. from the web interface
and edited the file
nano /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base
made the changes as advised above
and ran signal-event nethserver-squidclamav-update
and finally

 netstat -tlpn | grep c-icap
tcp        0      0 0.0.0.0:1344            0.0.0.0:*               LISTEN      4663/c-icap

So it was a combination of things, but I definitely suggest doing a PR for the template.

And I tested c-icap:

c-icap-client -s squidclamav -f eicar.com
ICAP server:localhost, ip:127.0.0.1, port:1344

Error opening file eicar.com
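As an added example (not from the thread or from NethServer), a small preflight script that mirrors the lib64/lib decision from @mrmarkuz's template fix, checks that squidclamav.so is where c-icap will actually look, checks the :1344 listener, and creates the EICAR file that the final c-icap-client test was missing. The ROOT prefix, the /tmp path and the function names are my assumptions.

```shell
#!/bin/sh
# Preflight for the c-icap + squidclamav setup discussed in this thread (added example,
# not NethServer code). ROOT is an assumed prefix so the checks can also be exercised
# against a constructed directory tree instead of the live filesystem.

# Same choice the 10base template makes: /usr/lib64 if it exists, else /usr/lib.
# On arm32 there is no /usr/lib64, which is why the hard-coded path broke.
resolve_libdir() {
    root="${1:-}"
    if [ -e "$root/usr/lib64/" ]; then
        printf '%s\n' "$root/usr/lib64"
    else
        printf '%s\n' "$root/usr/lib"
    fi
}

# 0 if squidclamav.so sits under the directory c-icap will search, 1 otherwise.
check_module() {
    root="${1:-}"
    [ -f "$(resolve_libdir "$root")/c_icap/squidclamav.so" ]
}

# Write the 68-byte EICAR test string (harmless, flagged by every AV engine).
# The final post failed with "Error opening file eicar.com" because no such file existed.
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# 0 if something listens on the ICAP port (1344 in the thread), 1 otherwise.
check_listener() {
    port="${1:-1344}"
    { ss -ltn 2>/dev/null || netstat -tln 2>/dev/null; } | grep -q ":$port "
}

# End-to-end check on a live host: module present, port open, EICAR scan via c-icap-client.
preflight() {
    if check_module ""; then echo "module: ok ($(resolve_libdir "")/c_icap)"; else echo "module: MISSING"; fi
    if check_listener 1344; then echo "listener: ok on :1344"; else echo "listener: nothing on :1344"; fi
    if command -v c-icap-client >/dev/null 2>&1; then
        write_eicar /tmp/eicar.com
        c-icap-client -s squidclamav -f /tmp/eicar.com
        rm -f /tmp/eicar.com
    else
        echo "c-icap-client not installed"
    fi
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the NethServer host; a healthy setup prints the module path, the listener line, and an ICAP response that flags the EICAR file.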